HIPAA Compliance News

Doctors’ Management Services Settles OCR HIPAA Probe for $100,000

The HHS’ Office for Civil Rights (OCR) has agreed to a $100,000 settlement with Doctors’ Management Services to resolve an investigation of a ransomware attack and data breach that uncovered multiple potential violations of the HIPAA Security Rule.

Doctors’ Management Services (DMS) is a Massachusetts-based medical management company whose services include medical billing and payor credentialing. DMS identified an intrusion on December 24, 2018, when GandCrab ransomware was used to encrypt files on its network. The forensic investigation confirmed the attackers first gained access to its network on April 1, 2017.

According to DMS, the threat actor gained access to its network via Remote Desktop Protocol (RDP) on one of its workstations and potentially obtained names, addresses, dates of birth, Social Security numbers, insurance information, Medicare/Medicaid ID numbers, driver’s license numbers, and diagnostic information. The breach was reported to OCR on April 22, 2019, as affecting up to 206,695 individuals.

OCR opened an investigation of the breach to determine whether DMS had complied with the HIPAA Rules and uncovered multiple potential violations. In addition to the impermissible disclosure of the protected health information of 206,695 individuals, OCR determined that DMS had failed to conduct an accurate and thorough risk analysis to assess technical, physical, and environmental risks and vulnerabilities associated with the handling of ePHI.

DMS was also found to have failed to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. OCR also determined that DMS had not implemented reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of the Security Rule.

DMS agreed to settle the investigation with no admission of liability. Under the terms of the settlement, DMS has agreed to pay a $100,000 financial penalty and implement a corrective action plan (CAP) to resolve the potential HIPAA violations identified by OCR. The CAP includes requirements to update its risk analysis, risk management program, HIPAA Privacy and Security Rule policies and procedures, and workforce HIPAA training. In its settlement announcement, OCR also recommended several cybersecurity best practices that all HIPAA-regulated entities should implement to prevent and mitigate cyber threats.

OCR said this is the first HIPAA settlement agreement it has reached in response to a ransomware attack. Given the number of ransomware attacks in the past five years, which have increased by 278% since 2018, it is likely to be the first of many. “Our settlement highlights how ransomware attacks are increasingly common and targeting the health care system. This leaves hospitals and their patients vulnerable to data and security breaches,” said OCR Director, Melanie Fontes Rainer. “In this ever-evolving space, it is critical that our health care system take steps to identify and address cybersecurity vulnerabilities along with proactively and regularly review risks, records, and update policies. These practices should happen regularly across an enterprise to prevent future attacks.”

October is Cybersecurity Awareness Month, and in recognition, OCR released a cybersecurity video that explains how HIPAA Security Rule compliance can help healthcare organizations improve their defenses against cyberattacks and block the most common attack vectors. CISA and the HHS have also recently released a cybersecurity toolkit, which includes key cybersecurity tools, training material, and other resources for strengthening security posture and keeping up to date on the latest threats. This month, CISA released a log management tool to help under-resourced organizations reduce their log management burden and search for signs of compromise, and CISA, the NSA, FBI, and MS-ISAC have issued joint guidance on blocking phishing.

It has never been more important to ensure appropriate cybersecurity measures are in place, given the 239% increase in data breaches due to hacking in the past 4 years and the extent to which healthcare records are now being breached. Breached records are up 60% on last year and, at the time of writing, 88 million healthcare records are known to have been breached so far in 2023.

The post Doctors’ Management Services Settles OCR HIPAA Probe for $100,000 appeared first on HIPAA Journal.

OCR Video Explains How to Improve Cybersecurity Defenses Through HIPAA Security Rule Compliance

The HHS’ Office for Civil Rights has released a video in recognition of National Cybersecurity Awareness Month that explains how compliance with the HIPAA Security Rule can help HIPAA-regulated entities defend against cyberattacks. The video features Nick Heesters, Senior Advisor for Cybersecurity for the Health Information Privacy, Data, and Cybersecurity Division of the HHS’ Office for Civil Rights, who discusses some of the real-world cyberattack trends identified by OCR from breach reports.

There has been a massive increase in healthcare data breaches since the HIPAA Breach Notification Rule was enacted. In 2010, the first full year of breach report data, OCR received 199 reports of healthcare data breaches of 500 or more records. More than 700 data breaches were reported in both 2021 and 2022, and 2023 looks set to become the third successive year with more than 700 reported data breaches.

In the year to September 30, 2023, hacking and other IT incidents accounted for 77% of all large data breaches, compared to just 49% of incidents in 2009, and as of September 30, 2023, more than 79 million healthcare records have been exposed or impermissibly disclosed. There has been a 239% increase in hacking-related data breaches since 2018 and a 278% increase in ransomware incidents over the same period.

OCR investigates all breaches of 500 or more healthcare records to identify any HIPAA compliance issues that caused or contributed to breaches. Heesters explains some of the most common HIPAA compliance issues and security weaknesses that have been exploited by malicious actors to gain access to internal networks, focusing on the most common attack vectors such as phishing, compromised accounts, and unpatched vulnerabilities.

Heesters explains how specific provisions of the HIPAA Security Rule, such as security awareness and training, authentication, access control, and risk analysis/risk management, can help HIPAA-regulated entities protect against cyberattacks, detect attacks in progress, and mitigate the most common types of cyberattack.

The video can be viewed on OCR’s YouTube Channel and is available in English and Spanish.

HHS Publishes Proposed Rule Establishing Information Blocking Disincentives for Healthcare Providers

The Centers for Medicare and Medicaid Services (CMS) at the Department of Health and Human Services (HHS) has published a long-awaited proposed rule that establishes disincentives for healthcare providers that have committed information blocking, as called for by the 21st Century Cures Act. Information blocking is classed as knowingly or unreasonably interfering with the access, exchange, or use of electronic health information, except as required by law or covered by a regulatory exception.

The Cures Act requires the Office of Inspector General (OIG) to refer healthcare providers determined by OIG to have committed information blocking to the appropriate agency to be subject to appropriate disincentives using authorities under applicable Federal law, as the Secretary sets forth through notice and comment rulemaking. On June 27, 2023, the HHS OIG published its final rule that implemented information blocking penalties of $1 million per violation for health information technology (IT) developers of certified health IT and other entities offering certified health IT, health information exchanges, and health information networks. The penalties took effect on August 2, 2023.

The latest HHS proposed rule establishes penalties for healthcare providers found to have committed information blocking. The proposed disincentives are as follows:

  • Medicare Promoting Interoperability Program: An eligible hospital or critical access hospital (CAH) would not be a meaningful electronic health record (EHR) user in an applicable EHR reporting period. The impact on eligible hospitals would be the loss of 75 percent of the annual market basket increase; for CAHs, payment would be reduced to 100 percent of reasonable costs instead of 101 percent.
  • Promoting Interoperability performance category of the Merit-based Incentive Payment System (MIPS): An eligible clinician or group would not be a meaningful user of certified EHR technology in a performance period and would therefore receive a zero score in the Promoting Interoperability performance category of MIPS, if required to report on that category. The Promoting Interoperability performance category score typically can be a quarter of a clinician or group’s total MIPS score in a year.
  • Medicare Shared Savings Program: A health care provider that is an Accountable Care Organization (ACO), ACO participant, or ACO provider or supplier would be deemed ineligible to participate in the program for a period of at least one year. This may result in a healthcare provider being removed from an ACO or prevented from joining an ACO.

The proposed rule will be published in the Federal Register on November 1, 2023. A 60-day comment period will follow, with the comments made accessible for public inspection. Comments must be submitted by no later than January 2, 2024, at 11:59 p.m. The HHS will consider all comments before publishing the final rule, which is expected to be issued later in 2024. The Office of the National Coordinator for Health Information Technology (ONC) and the CMS will host an information session about the proposed rule in the coming weeks.

“HHS is committed to developing and implementing policies that discourage information blocking to help people and the health providers they allow to have access to their electronic health information,” said HHS Secretary Xavier Becerra. “We are confident the disincentives included in the proposed rule, if finalized, will further increase the appropriate sharing of electronic health information and establish a framework for potential additional disincentives in the future.”

September 2023 Healthcare Data Breach Report

September was a much better month for healthcare data privacy, with the lowest number of reported healthcare data breaches since February 2023. In September, 48 data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights (OCR), which is well below the 12-month average of 57 data breaches a month.

For the second successive month, there was a fall in the number of breached records, which dropped 36.6% month-over-month. Across the 48 reported data breaches, the protected health information of 7,556,174 individuals was exposed or impermissibly disclosed. September’s total was below the 12-month average of 7,906,890 records per month, but this year has seen two particularly bad months for data breaches. More healthcare records were exposed in May and June than were exposed in all of 2020!

The high number of breached records can partly be attributed to the mass exploitation of a zero-day vulnerability in Progress Software’s MOVEit solution, which is used by healthcare organizations and their business associates for transferring files. According to Emsisoft, which has been tracking the MOVEit data breaches, 2,553 organizations were affected by the attacks globally, and 19.2% of those were in the health sector. Most of these breaches are now believed to have been reported.

Largest Healthcare Data Breaches in September 2023

There were 16 data breaches reported in September that involved 10,000 or more records, four of which – including the largest data breach of the month – were due to the mass exploitation of the vulnerability that affected the MOVEit Transfer and MOVEit Cloud solutions (CVE-2023-34362). The healthcare industry continues to be targeted by ransomware and extortion gangs, including Clop, Rhysida, Money Message, NoEscape, Karakurt, Royal, and ALPHV (BlackCat). Three of the 10,000+ record data breaches were confirmed as ransomware attacks, although several more are likely to have involved ransomware or extortion. It is common for HIPAA-covered entities not to disclose details of hacking incidents.

While hacking incidents often dominate the headlines, the healthcare industry suffers more insider breaches than other sectors, and September saw a major insider breach at a business associate. An employee of the business associate Maximus was discovered to have emailed the protected health information of 1,229,333 health plan members to a personal email account.

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach | Cause of Breach |
|---|---|---|---|---|---|
| Arietis Health, LLC | FL | Business Associate | 1,975,066 | Hacking/IT Incident | MOVEit Hack (Clop) |
| Virginia Dept. of Medical Assistance Services | VA | Health Plan | 1,229,333 | Hacking/IT Incident | Employee of a business associate (Maximus) emailed documents to a personal email account |
| Nuance Communications, Inc. | MA | Business Associate | 1,225,054 | Hacking/IT Incident | MOVEit Hack (Clop) |
| International Business Machines Corporation | NY | Business Associate | 630,755 | Unauthorized Access/Disclosure | MOVEit Hack (Clop) |
| Temple University Health System, Inc. | PA | Healthcare Provider | 430,381 | Hacking/IT Incident | Hacking incident at business associate (no information released) |
| Prospect Medical Holdings, Inc. | CA | Business Associate | 342,376 | Hacking/IT Incident | Rhysida ransomware attack |
| United Healthcare Services, Inc. Single Affiliated Covered Entity | CT | Health Plan | 315,915 | Unauthorized Access/Disclosure | MOVEit Hack (Clop) |
| Oak Valley Hospital District | CA | Healthcare Provider | 283,629 | Hacking/IT Incident | Hacked network server |
| Bienville Orthopaedic Specialists LLC | MS | Healthcare Provider | 242,986 | Hacking/IT Incident | Hacked network server (data theft confirmed) |
| Amerita | KS | Healthcare Provider | 219,707 | Hacking/IT Incident | Ransomware attack on parent company (PharMerica) by Money Message group |
| Community First Medical Center | IL | Healthcare Provider | 216,047 | Hacking/IT Incident | Hacked network server |
| OrthoAlaska, LLC | AK | Healthcare Provider | 176,203 | Hacking/IT Incident | Hacking incident (no information released) |
| Acadia Health, LLC d/b/a Just Kids Dental | AL | Healthcare Provider | 129,463 | Hacking/IT Incident | Ransomware attack – Threat group confirmed data deletion |
| Founder Project Rx, Inc. | TX | Healthcare Provider | 30,836 | Hacking/IT Incident | Unauthorized access to email account |
| Health First, Inc. | FL | Healthcare Provider | 14,171 | Hacking/IT Incident | Unauthorized access to email account |
| MedMinder Systems, Inc. | MA | Healthcare Provider | 12,146 | Hacking/IT Incident | Hacked network server |

Data Breach Types and Data Locations

Hacking and other IT incidents continue to dominate the breach reports. In September, hacking/IT incidents accounted for 81.25% of all reported data breaches of 500 or more records (39 incidents) and 87.23% of the exposed or stolen records (6,591,496 records). The average data breach size was 169,013 records and the median data breach size was 4,194 records.

There were 9 data breaches classified as unauthorized access/disclosure incidents, across which 964,678 records were impermissibly accessed by or disclosed to unauthorized individuals. The average data breach size was 107,186 records and the median breach size was 2,834 records.

There were no reported incidents involving the loss or theft of paper records or electronic devices containing ePHI, and no reported incidents involving the improper disposal of PHI.

Given the large number of hacking incidents, it is no surprise that network servers were the most common location of breached protected health information. 7 incidents involved unauthorized access to email accounts.

Where did the Data Breaches Occur?

The raw data from the OCR data breach portal shows healthcare providers were the worst affected entity in September, with 30 healthcare providers reporting data breaches. There were 11 data breaches reported by business associates and 7 breaches reported by health plans. These figures do not tell the full story, as the reporting entity may not be the entity that suffered a data breach. Many data breaches occur at business associates of HIPAA-covered entities but are reported to OCR by the covered entity rather than the business associate.

To better reflect this and to avoid the underrepresentation of business associates in the healthcare data breach statistics, the charts below show where the data breaches occurred rather than the entity that reported the data breach.

Business associate data breaches are often severe because a hacker who gains access to the network of a business associate can access the data of all clients of that business associate. In September, the average size of a business associate data breach was 5,864,823 records (median: 2,729 records). The average size of a healthcare provider data breach was 1,372,101 records (median: 7,267 records), and the average health plan data breach involved 319,250 records (median: 2,834 records).

Geographical Distribution of Data Breaches

Healthcare data breaches of 500 or more records were reported by HIPAA-regulated entities in 24 states. California, Florida, and New York were the worst affected states with 4 breaches each.

| State | Breaches |
|---|---|
| California, Florida & New York | 4 |
| Georgia, Illinois & Texas | 3 |
| Alabama, Connecticut, Massachusetts, Minnesota, Mississippi, Missouri, New Jersey, Pennsylvania & Virginia | 2 |
| Arizona, Arkansas, Indiana, Kansas, Kentucky, Maryland, Nevada, North Carolina & Tennessee | 1 |

HIPAA Enforcement Activity in September 2023

All healthcare data breaches of 500 or more records are investigated by OCR to determine whether they were the result of non-compliance with the HIPAA Rules. OCR has a backlog of investigations due to budgetary constraints, and HIPAA violation cases can take some time to be resolved. In September, OCR announced that one investigation, of LA Care Health Plan, had concluded and a settlement had been reached. The case dates back to March 2014, when an online media source reported that members of the health plan were able to access the PHI of other members via its online member portal. The breach was reported to OCR as affecting fewer than 500 plan members, and OCR launched a compliance review in February 2016. Three years later, another breach was reported – a mailing error, this time affecting 1,498 plan members.

OCR investigated LA Care Health Plan again and found multiple violations of the HIPAA Rules: a risk analysis failure, insufficient security measures, insufficient reviews of records of information system activity, insufficient evaluations in response to environmental/operational changes, insufficient recording and examination of activity in information systems, and an impermissible disclosure of the ePHI of 1,498 individuals. The case was settled, and LA Care Health Plan agreed to adopt a corrective action plan and pay a $1,300,000 penalty.

State attorneys general are also authorized to investigate healthcare data breaches and fine organizations for HIPAA violations. From 2019 to 2022, there were relatively few financial penalties imposed for HIPAA violations or equivalent violations of state laws, but there has been a significant increase in enforcement actions in 2023. Between 2019 and 2022 there were 12 enforcement actions by state attorneys general that resulted in financial penalties. 11 penalties have been imposed so far in 2023.

In September, three settlements were announced by state attorneys general. The first, and the largest, was in California, which fined Kaiser Foundation Health Plan Foundation Inc. and Kaiser Foundation Hospitals $49 million. Kaiser was found to have violated state laws by improperly disposing of hazardous waste and violating HIPAA and state laws by disposing of protected health information in regular trash bins.

The Indiana Attorney General announced that a settlement had been reached with Schneck Medical Center following an investigation of a data breach involving the PHI of 89,707 Indiana residents. The settlement resolved alleged violations of the HIPAA Privacy, Security, and Breach Notification Rules, the Indiana Disclosure of Security Breach Act, and the Indiana Deceptive Consumer Sales Act. Schneck Medical Center paid a $250,000 penalty and agreed to improve its security practices.

The Colorado Attorney General announced that a settlement had been reached with Broomfield Skilled Nursing and Rehabilitation Center over a breach of the protected health information of 677 residents. The settlement resolved alleged violations of HIPAA data encryption requirements, state data protection laws, and deceptive trading practices. A penalty of $60,000 was paid to resolve the alleged violations, with $25,000 suspended, provided corrective measures are implemented.

OCR Issues Telehealth Guidance for Providers and Patients

The HHS’ Office for Civil Rights has issued new guidance for healthcare providers to help them educate patients about privacy and security risks when using remote communications technologies for telehealth visits and recommendations for patients on how they can protect and secure their health information.

During the pandemic, healthcare providers massively expanded their telehealth services to ensure that patients could access the medical services they needed while reducing the risk of contracting COVID-19. OCR issued a Notice of Enforcement Discretion covering the good faith provision of telehealth services to make it easier for healthcare providers to provide telehealth services during the pandemic by using non-public-facing communications platforms that are not fully HIPAA compliant, such as platforms where vendors would not enter into business associate agreements. Now that the COVID-19 public health emergency has been declared over, OCR’s telehealth Notice of Enforcement Discretion has expired; however, OCR continues to support telehealth services, which have proven popular with both providers and patients.

Telehealth Privacy and Security Risks

Healthcare providers must ensure that the communications platforms they use for providing telehealth services support HIPAA compliance. Even when ‘HIPAA-compliant’ platforms are used for telehealth there are still privacy and security risks that must be addressed and reduced to a low and acceptable level. In the summer of 2022, ahead of the telehealth flexibilities coming to an end, OCR issued guidance for healthcare providers on HIPAA and audio-only telehealth services.

While HIPAA does not require healthcare providers to educate patients about the privacy and security risks associated with telehealth, a Government Accountability Office (GAO) review of the Medicare telehealth services provided during the COVID-19 pandemic – Medicare Telehealth: Actions Needed to Strengthen Oversight and Help Providers Educate Patients on Privacy and Security Risks – recommended that OCR issue guidance to help healthcare providers explain the privacy and security risks associated with telehealth services to patients.

During the review, GAO identified numerous complaints that had been made about the use of non-compliant technology during the pandemic. More than 3 dozen complaints had been filed about the presence of third parties during appointments, and there were instances where providers shared PHI without obtaining patient consent. GAO concluded that there was a need for additional education and outreach to help providers explain the privacy and security risks associated with telehealth to patients, to make sure that those risks are fully understood. OCR concurred with the recommendation and agreed to publish new guidance.

New OCR Telehealth Privacy and Security Resources

Two guidance resources were published by OCR on October 18, 2023. The first guidance document is for healthcare providers to help them educate patients about the privacy and security risks associated with remote communication technologies, and the second guidance document is for patients and offers tips on privacy and security when taking advantage of telehealth services.

The provider guidance – Educating Patients about Privacy and Security Risks to Protected Health Information when Using Remote Communication Technologies for Telehealth – offers suggestions for healthcare providers to help them discuss the telehealth options offered, the potential risks to protected health information associated with remote communications technologies, the privacy and security practices of vendors of telehealth communication tools, and the applicability of civil rights laws.

The patient guidance – Telehealth Privacy and Security Tips for Patients – offers recommendations for patients on how they can protect and secure their protected health information, such as the importance of conducting telehealth visits in private settings, activating multi-factor authentication, using encryption, and avoiding using public Wi-Fi networks.

“Telehealth is a wonderful tool that can increase patients’ access to health care and improve health care outcomes,” said OCR Director Melanie Fontes Rainer. “Health care providers can support telehealth by helping patients understand privacy and security risks and effective cybersecurity practices so patients are confident that their health information remains private.”

Healthcare Clearinghouse Settles Multi-state HIPAA Investigation for $1.4 Million

Inmediata has agreed to a $1.4 million settlement to resolve a multi-state investigation of potential violations of the Health Insurance Portability and Accountability Act (HIPAA) and state breach notification laws.

On January 15, 2019, the Department of Health and Human Services’ Office for Civil Rights (OCR) notified the Puerto Rico-based healthcare clearinghouse that a server containing the protected health information that it maintained had not been properly secured, resulting in files being indexed by search engines that could be found, accessed, and downloaded by anyone with Internet access. The files on the server contained the protected health information of 1,565,338 individuals and some of those files dated as far back as May 2016.

The HIPAA Breach Notification Rule requires HIPAA-covered entities to issue notifications to individuals affected by a data breach without undue delay and no later than 60 days from the discovery of a data breach. Despite being notified about the breach by OCR, the primary HIPAA regulator, Inmediata waited three months to mail notification letters, and when notification letters were mailed, a mailing error occurred, resulting in letters being sent to incorrect addresses.

Many Americans are unaware of the services provided by healthcare clearinghouses as they do not have any direct contact with them. Healthcare clearinghouses such as Inmediata facilitate transactions between healthcare providers and insurers and are classed as HIPAA-covered entities, which means they must ensure they are fully compliant with the HIPAA Privacy, Security, and Breach Notification Rules. The multi-state investigation found that the content of the letters lacked clarity, which resulted in confusion for some consumers as to why Inmediata had their data and caused some individuals to dismiss the notification letters as illegitimate.

The multi-state investigation was led by the Indiana Attorney General, assisted by an Executive Committee consisting of the attorneys general in Connecticut, Michigan, and Tennessee. Alabama, Arizona, Arkansas, Colorado, Connecticut, Delaware, Georgia, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Montana, Nebraska, New Hampshire, North Carolina, Oklahoma, Oregon, Pennsylvania, Puerto Rico, Rhode Island, South Carolina, Tennessee, Utah, Washington, West Virginia and Wisconsin also participated.

The attorneys general alleged violations of the HIPAA Security Rule for failing to implement reasonable and appropriate data security safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information, a failure to conduct a secure code review at any point prior to the data breach, and violations of the HIPAA Breach Notification Rule and state data breach notification laws for failing to provide the affected individuals with timely and complete information about the data breach.

The $1.4 million settlement will be divided among the participating states and Inmediata has also agreed to strengthen its data security and breach notification practices. The requirements include the implementation and maintenance of a comprehensive information security program, which must include secure code reviews and search engine crawling controls. An incident response plan must also be developed that includes specific policies and procedures regarding consumer notification letters, and Inmediata must undergo annual third-party security assessments for the next five years. Last year, Inmediata settled a class action lawsuit over the data breach for $1.125 million.

“Inmediata maintained some of our most sensitive and private health information and they had an obligation to keep it secure. Their coding error left sensitive patient information exposed on public online searches for months, with no notification to impacted patients. Their failures violated numerous state consumer protection laws, breach notification laws, and HIPAA requirements. Our multistate settlement forces Inmediata to pay a significant fine and requires strong security practices going forward to ensure these types of inexcusable security lapses never occur again,” said Connecticut Attorney General, William Tong.

Patient Consent Not Required for Disclosures of PHI for Fundraising, Rules Minnesota Supreme Court

Healthcare organizations in Minnesota are permitted to use patient data for fundraising purposes without obtaining patient consent, according to Minnesota Supreme Court Chief Justice Natalie Hudson.

The Supreme Court was petitioned to review a lower court’s decision to dismiss a lawsuit against Children’s Health Care, which does business as Children’s Hospital and Clinics (Children’s). Legal action was taken against Children’s following a data breach at a third-party vendor that was used for fundraising purposes. The plaintiffs, Kelly and Evarist Schneider, were informed that their child’s name, age, date of birth, and treatment details were in the healthcare provider’s fundraising database and had potentially been compromised. They believed the hospital should have obtained permission before disclosing their child’s protected health information to the foundation’s fundraising database and argued that the disclosure violated the Minnesota Health Records Act (MHRA).

The case concerned the interpretation of the MHRA, which prohibits the disclosure of protected health information without “specific authorization in law.” Children’s moved to have the lawsuit dismissed and argued that the federal Health Insurance Portability and Accountability Act (HIPAA) is a specific authorization in law and that HIPAA permits the disclosure of protected health information for fundraising purposes without patient consent.

The district court denied Children’s motion to dismiss because, while HIPAA was determined to be a specific authorization in law under the MHRA, it was unclear whether Children’s had complied with the privacy notice requirements of the HIPAA Privacy Rule. Children’s then moved for summary judgment, which the district court granted. The district court reiterated its conclusion that the disclosure was permitted under the MHRA and HIPAA and found there was no dispute about whether the required privacy practices had been provided. The court of appeals affirmed the district court’s ruling.

The plaintiffs argued that states are permitted to implement more stringent privacy regulations than HIPAA and that the MHRA preempted the HIPAA fundraising exception; however, the court of appeals rejected that argument as the MHRA was determined not to be more stringent than HIPAA with respect to disclosures of protected health information for fundraising purposes. The plaintiffs petitioned the Supreme Court for review on whether the MHRA’s reference to a “specific authorization in law” includes the fundraising exception in the HIPAA Privacy Rule. Chief Justice Hudson ruled that the HIPAA Privacy Rule permits a hospital to disclose a patient’s protected health information to a foundation or business associate for fundraising purposes without requiring patient consent and that HIPAA is a “specific authorization in law” under the Minnesota Health Records Act.


Schneck Medical Center Settles HIPAA Lawsuit with Indiana AG

Seymour, IN-based Schneck Medical Center has settled a lawsuit with the Indiana attorney general, Todd Rokita, over a 2021 ransomware attack and data breach that affected 89,707 Indiana residents. Schneck Medical Center has agreed to pay a penalty of $250,000 to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) and state laws and will implement additional safeguards to prevent further data breaches.

According to the lawsuit, Schneck Medical Center conducted a risk analysis in December 2020 that revealed many critical security issues, but Schneck Medical Center failed to address them. Nine months later, on or around September 29, 2021, security flaws were exploited by a malicious actor who gained access to the network, exfiltrated sensitive patient data, and then deployed ransomware to encrypt files. The information stolen in the attack included names, addresses, dates of birth, Social Security numbers, driver’s license numbers, financial account information, payment card information, diagnoses, and health insurance information.

Schneck Medical Center was quick to alert patients to the cyberattack through a statement on its website on September 29, 2021; however, the Indiana AG alleged that Schneck Medical Center failed to disclose the risk patients faced and did not encourage them to take steps to protect themselves against identity theft and fraud, even though Schneck Medical Center was aware at the time that a large quantity of sensitive data had been stolen.

Another statement was released two months later on November 26, 2021, confirming that files had been stolen in the attack; however, Schneck Medical Center failed to disclose that protected health information had been exposed, despite being aware that PHI had been stolen. Schneck Medical Center also failed to issue timely individual notifications, which were not mailed until May 13, 2022 – 226 days after the discovery of the data breach. Schneck Medical Center also claimed in a May 13, 2022, substitute breach notice that data theft was discovered on March 17, 2022, when Schneck Medical Center was aware on September 29, 2023, that data had been stolen.

The Indiana attorney general alleged multiple violations of the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule and violations of the Indiana Disclosure of Security Breach Act and the Indiana Deceptive Consumer Sales Act.

Schneck Medical Center Compensates Patients for Losses

Schneck Medical Center has also recently settled a consolidated class action lawsuit for $1.3 million. Two lawsuits were filed in response to the ransomware attack and data breach by patients Jalen Nierman, Bryce Sheaffer, Jennifer Renoll, Patricia White, and Nigel Myers, who sought compensation for the data breach. The plaintiffs alleged Schneck Medical Center failed to implement reasonable and appropriate safeguards to ensure the confidentiality of patient data. Schneck Medical Center agreed to a settlement with no admission of wrongdoing.

Under the terms of the settlement, class members are entitled to claim up to $500 in ordinary expenses, including up to 4 hours of lost time at $15 per hour. Individuals who incurred extraordinary expenses due to the data breach can claim up to $6,000. Claims may be paid pro rata, depending on the number of claims received. The settlement also includes 27 months of free credit monitoring and identity theft protection services and coverage through a $1 million identity theft insurance policy.


L.A. Care Health Plan Settles Multiple HIPAA Violations for $1.3 Million

The Local Initiative Health Authority for Los Angeles County, operating as L.A. Care Health Plan, has settled multiple violations of the HIPAA Privacy and Security Rules with the HHS’ Office for Civil Rights (OCR) and will pay a $1,300,000 penalty and adopt a robust corrective action plan.

L.A. Care Health Plan is the largest publicly operated health plan in the United States and has more than 2.7 million members. OCR said it launched two separate investigations of L.A. Care Health Plan to assess the state of HIPAA compliance. The first was in response to a media report about impermissible disclosures of protected health information (PHI) via its member portal, and the second was in response to a breach that was reported to OCR involving the PHI of 1,498 members.

In 2016, a media outlet reported that members of the health plan were able to access the protected health information (PHI) of other members via the online member portal over a 2-day period in 2014 due to a manual processing error. OCR informed L.A. Care Health Plan it had initiated a compliance review and in February 2016, L.A. Care Health Plan reported the breach to OCR as affecting fewer than 500 individuals. In March 2019, L.A. Care Health Plan notified OCR about a 1,498-record data breach caused by a mailing error that saw members receive the ID cards of other health plan members.

OCR determined that there had been several failures to fully comply with the requirements of the HIPAA Privacy and Security Rules. The resolution agreement lists 6 potential HIPAA violations identified by its investigators.

  1. A failure to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI – 45 C.F.R. § 164.308(a)(1)(ii)(A).
  2. A failure to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level – 45 C.F.R. § 164.308(a)(1)(ii)(B).
  3. A failure to implement sufficient procedures to regularly review records of information system activity – 45 C.F.R. § 164.308(a)(1)(ii)(D).
  4. A failure to perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of ePHI – 45 C.F.R. § 164.308(a)(8).
  5. A failure to implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI – 45 C.F.R. § 164.312(b).
  6. The impermissible disclosure of the ePHI of 1,498 individuals – 45 C.F.R. § 164.502(a).

L.A. Care Health Plan chose to settle the investigations with no admission of liability and agreed to pay a $1,300,000 financial penalty and adopt a corrective action plan to correct the alleged HIPAA violations. The corrective action plan includes requirements to conduct a comprehensive, organization-wide risk analysis; develop a risk management plan; develop, implement, and distribute policies and procedures for a risk analysis and risk management plan; report to OCR when evaluations of environmental and operational changes are conducted; and report HIPAA violations by employees to OCR within 30 days.

“Breaches of protected health information by a HIPAA-regulated entity often reveal systemic noncompliance with the HIPAA Rules,” said OCR Director Melanie Fontes Rainer. “HIPAA-regulated entities need to be proactive in ensuring their compliance with the HIPAA Rules, and not wait for OCR to reveal long-standing HIPAA deficiencies. Entities such as LA Care must protect the health information of its insureds while providing health care for the most vulnerable residents of Los Angeles County through its coverage, which includes Medicaid, Medicare, and Affordable Care Act health plans.”
